[Pulp-list] My Failed PULP setup aka SSL Errors

Gavin Jones gavinj84 at gmail.com
Wed Oct 29 23:18:14 UTC 2014 

Hi Jason and Randy,

Thanks for your assistance with this issue. Excuse the essay but I wanted
to be thorough in explaining the steps I am performing.
 Jason this is mostly your steps just re-worded to understand and hopefully
get it right.
 This example RHEL7, Apache 2.4, Pulp 2.4 , Hostname: pulp01.rap.local
*Steps: *
mkdir -pv /etc/pki/pulp_certs
cd /etc/pki/pulp_certs

openssl genrsa -out pulpca.key 2048

pulpca.key

openssl req -new -key pulpca.key -out pulpca.csr


*# On the MS Root CA*

http://localrootca/certsrv/

Request a Certificate > advanced certificate request >

Paste the pulpca.csr Into the Saved Request Section >

Certifcate Template: Web Server

Additional Attributes: Left this blank

- Base64 > Download Certificate.

scp certnew.cer as user admin across to pulp01


cd /home/admin

chown -v root.root certnew.cer

cp -v /home/admin/certnew.cer /etc/pki/pulp_certs/pulpca.crt



*# Create SSL cert for the pulp service which is run via Apache, using our
Intermediary CA cert to sign it:*

openssl genrsa -out pulp01.rap.local.key 2048

openssl req -new -key pulp01.rap.local.key -out pulp01.rap.local.csr

openssl x509 -req -days 3650 -CA pulpca.crt -CAkey pulpca.key -set_serial
01 -in pulp01.rap.local.csr -out pulp01.rap.local.crt



*# Grab the ROOT CA Cert:*

http://localrootca/certsrv/ > Download a CA certificate, certificate chain,
or CRL > To trust certificates issued from this certification authority,
install this CA certificate > certnew.csr

SCP This across to /etc/pki/pulp_certs/

mv -v /home/admin/certnew.cer /etc/pki/pulp_certs/rootca.crt
chown -v root.root /etc/pki/pulp_certs/rootca.crt

cd /etc/pki/pulp_certs
cat rootca.crt pulpca.crt > pulpca_chain.crt


As per Randy's email: to add the certs in to the ca-bundle.crt to survive
the RHEL package updates to the CA bundle.

man update-ca-trust as explained in QUICK HELP 1:

cp -v /etc/pki/pulp_certs/rootca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract && echo $?

*In the Apache Config:*

vim /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /etc/pki/pulp_certs/pulp01.rap.local.crt
SSLCertificateKeyFile /etc/pki/pulp_certs/pulp01.rap.local.key
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt         = This should
stay the same as we just updated our CA Trust???


https://pulp01.rap.local

Now Apache is telling me the SSL is self signed and should not be
trusted.... = Certificate Fail

My next question is should I be using separate SSL Certs for Apache and
PULP? As Pulp should read from Apache's SSL Certs I'd assume they would be
the same?

If they are seperate certificates to PULP is obviosuly not using the SSL
Certs from Apache and seperate certifiates should be specified in?

/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf.d/pulp.conf
/etc/pulp/admin/admin.conf
/etc/pulp/server.conf

Thanks for your time and  look forward to understanding this better.

On Thu, Oct 30, 2014 at 12:06 AM, Randy Barlow <rbarlow at redhat.com> wrote:

> If you don't mind, it's best to reply to the list in the future.
>
> On 10/28/2014 05:57 PM, Gavin Jones wrote:
> > cat /etc/pki/entitlement/6666666.pem  this is different to the one from
> > the RHEL7 Customer Portal, as the one certificate listed from the
> > Customer Portal looks to be a combination of
> > /etc/pki/entitlement/6666666.pem and /etc/pki/entitlement/6666666-key.pem
> >
> > Maybe this is behind it and maybe I should be specifying only once cert
> > when I create the repo?
>
> Pulp prefers to get the cert and key separately, so I don't think it is
> important to combine them.
>
> > Option 1:
> >
> > I could get a free startssl cert, however does PULP really require a
> > Public CA Signed Cert just to use it? A signed Cert from an internal
> > root ca is not suffice?
>
> No, you can install your own CA on the host, which would make it a
> trusted CA. See man update-ca-trust for more info on how to do that.
>
> > Option 2: This is on a local host, still made no difference :(
> >
> > vim /etc/pulp/admin/admin.conf
> > verify_ssl = False
> > systemctl restart httpd
>
> Do you have a ~/.pulp/admin.conf? If so, is verify_ssl set in there?
>
> > Option 3:
> >
> > I have been using the same certificates I generated for the httpd
> > server, should I have not been doing this? I copied the certs I
> > generated from /etc/pki/tls/certs and /etc/pki/tls/private into
> > /etc/pki/pulp gave them the owner ship of root.apache and chmod 640 all
> > certs files.
>
> You shouldn't need to put apache's certs in /etc/pki/pulp. The certs in
> there are used by Pulp for authentication (the CA certs in there) and
> for repository authorization, if you are using protected repos.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pulp-list/attachments/20141030/fcda3ac6/attachment.htm>

More information about the Pulp-list mailing list